A technique for quickly finding existing reverse (PTR) entries in ip6.arpa zones occurred to me recently. A cursory internet search reveals little about the subject, suggesting nobody else may have connected these dots before. So, I wrote a rudimentary tool to test the idea. Results: AWESOME. One tested /48 containing, apparently, 737 reverse PTRs was fully scanned with just 14785 queries.
The method is best explained using an example. This example uses the IPv6 Address Prefix Reserved for Documentation.
Let’s assume that within 2001:DB8::/32 there is a /48 which has reverse DNS hosted in its own ip6.arpa zone. Now, given the zone name (let’s call it X to be slightly easier on the eyes), we can query 0.X, 1.X, 2.X etc. up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but very importantly, this can usually be construed to mean that no longer name exists either. Suppose that in this case, two of the names (one of them f.X) do not return NXDOMAIN – instead they return NOERROR. This means the nameserver has a reason to not deny existence, and in this case, that reason is that a longer name exists.

We tested 16 prefixes of X and have rejected 14 due to NXDOMAIN; by that, we have reduced our search space from a full /48 to 1/8th of a /52 – a 128-fold reduction with just 16 queries. This trend continues at every step.
Note that whether this works depends on how a nameserver handles requests for these shortened names (the technical term is ‘empty non-terminals’). BIND and NSD return NOERROR and NXDOMAIN as described above; tinydns and PowerDNS in most setups will not, so against those servers the NXDOMAIN answers carry no information about what lies below.
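To make the walk described above and the empty-non-terminal caveat concrete, here is an added example (my own code, not the tool or code from this post). It simulates a tiny authoritative server for one /48 reverse zone and runs the nibble-by-nibble search against it, once with BIND/NSD-style NOERROR answers for empty non-terminals and once with a server that answers NXDOMAIN for every name that has no record of its own. The zone, the three PTR owner names and the `FakeAuthServer` class are constructed for the example; the addresses sit inside the 2001:db8::/32 documentation prefix.

```python
"""Added example (not code from the original post): simulate nibble-walking an
ip6.arpa zone, pruning on NXDOMAIN, against a fake authoritative server.
All addresses are constructed samples inside the 2001:db8::/32 documentation prefix."""
import ipaddress
from typing import Callable, Dict, List

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"
HEX = "0123456789abcdef"


def reverse_name(addr: str) -> str:
    """Full ip6.arpa owner name for an IPv6 address (32 nibbles, least significant first)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for a nibble-aligned prefix such as 2001:db8:1234::/48."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen % 4 == 0, "only nibble-aligned prefixes map to one zone"
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


class FakeAuthServer:
    """Toy authoritative server for one reverse zone (constructed for this example).

    ent_noerror=True mimics BIND/NSD: a name that exists only as an empty
    non-terminal (ENT) is answered NOERROR with no data.  ent_noerror=False
    mimics a server that answers NXDOMAIN for any name without its own record,
    which is what defeats the walk.
    """

    def __init__(self, zone: str, ptr_owners: List[str], ent_noerror: bool = True):
        self.zone = zone
        self.ent_noerror = ent_noerror
        self.queries = 0  # cost counter: one increment per query received
        self.owners = set(ptr_owners)
        self.ents = set()
        for name in self.owners:
            assert name.endswith(zone)
            labels = name[: -len(zone)].rstrip(".").split(".")
            # every name strictly between the apex and a PTR owner is an ENT
            for i in range(1, len(labels)):
                self.ents.add(".".join(labels[i:]) + "." + zone)

    def query(self, name: str) -> str:
        self.queries += 1
        if name == self.zone or name in self.owners:
            return NOERROR
        if self.ent_noerror and name in self.ents:
            return NOERROR
        return NXDOMAIN


def walk(zone: str, query: Callable[[str], str]) -> List[str]:
    """Enumerate PTR owner names below `zone` by depth-first search over the 16
    possible nibbles at each label, abandoning a branch as soon as it returns NXDOMAIN."""
    zone_nibbles = len(zone.rstrip(".").split(".")) - 2  # drop 'ip6' and 'arpa'
    depth = 32 - zone_nibbles  # labels still needed to reach a full /128
    found: List[str] = []

    def recurse(suffix: str, remaining: int) -> None:
        if remaining == 0:
            found.append(suffix)
            return
        for h in HEX:
            candidate = h + "." + suffix
            if query(candidate) != NXDOMAIN:  # NOERROR: something exists below
                recurse(candidate, remaining - 1)

    recurse(zone, depth)
    return sorted(found)


def demo(ent_noerror: bool = True) -> Dict[str, object]:
    """Run the walk against a constructed /48 holding three PTRs; return names and cost."""
    zone = reverse_zone("2001:db8:1234::/48")
    hosts = ("2001:db8:1234:1::1", "2001:db8:1234:1::2", "2001:db8:1234:ff::10")
    owners = [reverse_name(a) for a in hosts]
    server = FakeAuthServer(zone, owners, ent_noerror=ent_noerror)
    found = walk(zone, server.query)
    return {"zone": zone, "expected": sorted(owners), "found": found, "queries": server.queries}


if __name__ == "__main__":
    for mode in (True, False):
        r = demo(mode)
        print(f"ENT->NOERROR={mode}: {len(r['found'])} names in {r['queries']} queries")
```

With NOERROR on empty non-terminals the three PTRs are recovered in 592 queries (37 names that exist, times 16 nibbles each) instead of the 16^20 a blind sweep of the /48 would need; with NXDOMAIN on empty non-terminals the very first 16 queries all fail and the walk finds nothing, which is the quickest way for a zone operator to check which behaviour their own server exhibits.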
As said above, I could not find any previous work applying this feature of DNS to the mapping of reverse zones. If you do know of anything, let me know and I will update this post.
Please read my follow-up post.